When Nation-States Stop Caring About Size
Why obscurity no longer buys protection
- As a candid session at RSAC™ 2026 Conference revealed, if you’re connected to a supply chain, you’re already at risk of sophisticated nation-state attacks.
- Nation-state actors are using trusted tools, cloud services, and valid credentials to blend into normal activity, making their deeds harder to detect.
- Smaller, under-resourced organizations are especially vulnerable to these attacks, intensifying the need for unified visibility across endpoints, network, and data.
Many organizations run on a quiet assumption: nation-state attackers go after governments and global enterprises, not companies their size. At the RSAC 2026 Conference, Symantec Fellow Eric Chien delivered a reality check: "There isn't a sector out there that isn't being attacked by nation-states."
With attackers moving deeper into supply chains, the idea that nation-states are only interested in governments and large enterprises is outdated and dangerous, especially for smaller organizations with leaner security teams and limited resources.
The good news? Understanding these attacks and the motivations behind them is your first step toward a better defense.
The nation-state threat has gone downmarket
For years, the vast majority of organizations (those that aren’t large enterprises with large enterprise-scale SOCs) have assumed sophisticated cyber attacks were simply someone else’s problem. That couldn’t be farther from the truth.
“There isn’t a sector out there that isn’t being attacked by nation-states.”
— Eric Chien, Attack Surface Everywhere—All Defenders Need Multi-Layer Signals to Keep Up
Nowadays, any organization may exist in a supply chain that places them just a few steps away from a military or government entity. That’s because everything is connected. Cloud platforms. SaaS ecosystems. Vendors. Contractors. Suppliers. And nation-states have taken note.
China: Economic warfare at scale
The most prolific of the nation-states discussed during the session, China continues to focus heavily on intellectual property theft and long-term economic advantage. What’s changed is who’s carrying out the work.
China relies on contractors (what I call cyber mercenaries) to carry out attacks on behalf of the state. But those same contractors are now "moonlighting," using state-sponsored access and tooling to extort organizations for personal gain on the side, blurring the lines between state activity and financially motivated cybercrime.
North Korea: Cybercrime funding regime
Not much has changed for North Korea's motivations. Their unique fixation on cold, hard cash (cybercrime is estimated to account for up to half of North Korea's state budget) has led to some creative schemes. Alongside ransomware, bank heists, and their usual cryptocurrency threats, North Korean bad actors have expanded into fake remote IT worker schemes, using AI-generated identities and deepfakes to land legitimate jobs at American companies and funnel salaries back to the regime.
“If they can think of a way to make money off of you, they will try,” Chien noted.
Russia: Highly skilled and still formidable
Primarily focused on Ukraine, Russia has become especially adept at targeting critical systems like power grids. They’ve also started to pioneer attacks on enterprise cloud services, expanding their reach even further.
What sets Russian attackers apart is the scale of collateral damage they leave behind. Using broad phishing campaigns and spray-and-pray tactics, Russia’s large-scale attacks often impact organizations far outside their desired target. Even companies with no geopolitical relevance have found themselves caught in the massive fallout.
Iran: Destruction over stealth
Iran’s attacks may be considered less sophisticated in comparison, but that doesn’t make them less dangerous. Forgoing stealth, Iranian groups often focus on disruption and destruction, wiping out systems, bricking devices, and causing major damage once they gain access. They’re very adept at social engineering, often targeting the supply chain.
Recent telemetry and sensors suggest that following reports of a physical military strike on one of Iran’s cyber warfare offices, there has been a noticeable decline in the number of footholds observed on any given day. That said, Chien warns this should be interpreted carefully, as all it really takes is one single access point for Iran to make a devastating impact.
Despite their different motivations, these nation-state groups are noticeably relying on the same playbook: blending into "normal" activity by abusing legitimate infrastructure, trusted tools, and valid credentials, all of which are much harder to spot using traditional security approaches.
The attack chain you know is gone
Instead of relying on custom malware, attackers now use PowerShell, remote management tools, HTTPS traffic, and trusted cloud platforms to move laterally and exfiltrate data.
“Traditional endpoint file scanning, to be frank, is useless,” Chien noted. That’s because many of these modern attacks revolve around context.
A PowerShell execution on its own may not look strange. Neither would a OneDrive upload or a remote administration tool taking action. But together, those seemingly harmless activities can reveal an attack chain already halfway through to its objective.
For security teams, it’s no longer enough to identify known bad files. This shift towards determining when otherwise normal activity becomes suspicious based on everything else happening around it can prove especially difficult for smaller organizations with limited visibility across endpoints, networks, and data.
Why smaller organizations are the first to struggle
Large enterprises have spent years building layered defenses capable of correlating endpoint activity, network telemetry, cloud behavior, and sensitive data movement. They've invested heavily in their SIEMs, stitching together what they need and funding the teams required to manage them. Unfortunately, smaller organizations typically don't have that luxury. Many lack the staff, budget, and operational expertise needed to integrate and manage fragmented security tools, and the gap keeps growing.
For things to change, smaller organizations need security that helps them quickly understand which disconnected signals matter, how they relate to each other, and when “normal” is actually a sign of malicious activity.
Symantec® CBX: Built precisely for this moment
With AI accelerating both the scale and speed of attacks, organizations that once relied on security through obscurity are unlikely to remain hidden for long. The level of visibility and correlation once reserved for large enterprises is quickly becoming the baseline for security everywhere.
Combining the award-winning capabilities from both Symantec and Carbon Black® into a unified cloud-based platform, Symantec CBX brings together endpoint, network, and data security to help organizations better understand what goes on in their environment.
For an analyst, the hard part is rarely a single alert; it's knowing which alerts belong together:
A PowerShell script runs on an endpoint. Minutes later, a sensitive file syncs to OneDrive. A remote-management tool opens a session to another host. In three separate consoles, each event looks survivable. As one correlated sequence, it's an intrusion already well underway. Symantec CBX curates endpoint, data, and network telemetry into that single view, so the analyst spends less time reconstructing what happened across tools and more time deciding what to do about it.
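The correlation idea described above and in the earlier "attack chain" section (a PowerShell execution, a sensitive file syncing to OneDrive, and a remote-management session that each look fine in isolation but form a chain together) can be illustrated with a small host-scoped sequence correlator. This is an added example written for this page; it is not Symantec CBX code or any product's detection logic. The event schema, the three-stage chain, the 15-minute window, and all sample events are constructed for the illustration.

```python
"""Host-scoped correlation of individually benign telemetry into one sequence.

Constructed example (not product code): each stage below is an ordinary event
in its own console. Seen on the same host, in order, inside a short window,
the three together are the living-off-the-land chain the post describes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    host: str
    source: str          # telemetry domain: "endpoint" | "data" | "network"
    kind: str            # e.g. "process", "cloud_upload", "remote_session"
    detail: str          # free text: process name, destination, peer host
    sensitive: bool = False  # set by a data-classification label (assumed field)


# Ordered stages of the chain: (telemetry domain, predicate on the event).
# The stage definitions are an assumption for this illustration.
STAGES: Tuple[Tuple[str, Callable[[Event], bool]], ...] = (
    ("endpoint", lambda e: e.kind == "process"
                 and e.detail.lower().startswith("powershell")),
    ("data",     lambda e: e.kind == "cloud_upload" and e.sensitive),
    ("network",  lambda e: e.kind == "remote_session"),
)
WINDOW = timedelta(minutes=15)   # assumed: all stages must land within 15 min


def correlate(events: List[Event], window: timedelta = WINDOW) -> List[List[Event]]:
    """Return every per-host event sequence that matches STAGES in order within `window`.

    Events are grouped by host and sorted by time, so an out-of-order event
    (e.g. a remote session *before* the PowerShell launch) never counts.
    """
    by_host: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    hits: List[List[Event]] = []
    for evs in by_host.values():
        for start, first in enumerate(evs):
            domain, pred = STAGES[0]
            if first.source != domain or not pred(first):
                continue
            chain, stage = [first], 1
            for later in evs[start + 1:]:
                if later.ts - first.ts > window:
                    break                      # chain timed out for this start
                domain, pred = STAGES[stage]
                if later.source == domain and pred(later):
                    chain.append(later)
                    stage += 1
                    if stage == len(STAGES):
                        hits.append(chain)     # full sequence observed
                        break
    return hits


def describe(chain: List[Event]) -> str:
    """One-line analyst summary of a matched chain (host, span, domains touched)."""
    span = (chain[-1].ts - chain[0].ts).total_seconds() / 60
    domains = " -> ".join(e.source for e in chain)
    return f"{chain[0].host}: {domains} in {span:.0f} min"


# Constructed sample telemetry from three separate consoles.
T = datetime(2026, 3, 31, 9, 0)
SAMPLE_EVENTS = [
    # ws-17: the chain, plus a decoy remote session that happens too early
    Event(T - timedelta(minutes=5), "ws-17", "network", "remote_session", "peer=srv-02"),
    Event(T, "ws-17", "endpoint", "process", "powershell.exe -enc ..."),
    Event(T + timedelta(minutes=4), "ws-17", "data", "cloud_upload",
          "onedrive:/Finance/board-pack.xlsx", sensitive=True),
    Event(T + timedelta(minutes=9), "ws-17", "network", "remote_session", "peer=srv-07"),
    # ws-22: same event types, but the upload is not sensitive and the
    # remote session falls outside the window, so no chain is formed
    Event(T + timedelta(hours=1), "ws-22", "endpoint", "process", "powershell.exe"),
    Event(T + timedelta(hours=1, minutes=2), "ws-22", "data", "cloud_upload",
          "onedrive:/Scratch/notes.txt", sensitive=False),
    Event(T + timedelta(hours=1, minutes=30), "ws-22", "network", "remote_session",
          "peer=srv-02"),
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(describe(chain))
```

Run stand-alone, the script reports one chain on `ws-17` and nothing for `ws-22`, even though every event type that makes up the chain also appears on `ws-22`. Filtering any single `source` out of `SAMPLE_EVENTS` and inspecting it on its own shows why a per-console view misses this: none of the three feeds contains anything alarming by itself. In practice the stage predicates would be driven by the data-classification labels and process telemetry available in the environment, and the window and ordering would be tuned against normal administrative activity to keep false positives low.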
The takeaway from Chien's session isn't that the sky is falling. It's that the thing protecting smaller organizations was never obscurity — it was the bet that someone else would always be the easier target. That bet no longer pays. What replaces it is less dramatic than it sounds: the ability to see a sequence where you used to see scattered events, and to catch it before the sequence finishes. That capability once required an enterprise budget. It's becoming the baseline, and it's one smaller teams can actually reach.
That's where CBX Fest comes in. The five-part series goes domain by domain — endpoint, network, and data — so analysts can see exactly how the correlation works before deciding whether it fits their environment.
Q&A: Nation-state attacks, supply chain risk, and modern detection challenges
What makes nation-state cyber attacks dangerous?
Nation-state cyber attacks, which are attacks and activity linked to state-backed actors, are dangerous because they often operate inside normal business ecosystems by abusing trusted tools, cloud services, and valid credentials instead of obvious malware. This allows their activity to blend into everyday operations, and because many organizations sit somewhere in a larger supply chain, even smaller businesses can become part of the broader attack surface.
Why are smaller organizations no longer protected by obscurity?
Modern attackers don’t need to directly target high-profile companies to cause impact. Any organization, no matter how small, that is connected to a supply chain could be exposed. Nation-state groups increasingly rely on legitimate tools like PowerShell, SaaS platforms, and remote administration utilities, making malicious activity appear normal and much harder to detect, especially by smaller, less-resourced security teams.
What should security teams do to better detect and respond to these attacks?
Security teams should focus on building unified visibility across endpoints, network activity, and data movement rather than relying on isolated tools. Modern attacks only become visible when seemingly normal actions are correlated into a broader pattern of behavior. Platforms like Symantec CBX combine multiple telemetry sources to help teams understand context, detect suspicious activity earlier, and reduce the burden on lean security operations teams.